
My question is about how difficult it is for someone who has compromised the PSK and sniffed the whole (D)TLS handshake (so obtained the nonces) to get the encryption keys.

I understand:

getting the pre-master secret is straightforward

but then, what about the master secret MS?

Because the MS is calculated with PRF_HMAC_SHA256, which generates a different MS for each session, how easy is it for an attacker to recalculate the right MS, and then the encryption keys?

mikeazo
GL Foxfire

1 Answer


Assuming you are talking TLS_PSK without DH or RSA (which are an option), if an attacker compromises the PSK and watches the nonces go past in the clear, yes the attacker can easily compute the master secret.

Section 2 of RFC4279 details how the premaster secret is computed. Without DH or RSA, there is no, indeed can be no*, additional entropy added.

The master secret is a function of the premaster secret and two nonces sent in the clear at the beginning of the handshake. So if the handshake is captured, so are the nonces. So all the inputs to compute the master secret are known.

* Any additional entropy that could be added must be shared. TLS_PSK assumes that the PSK is the only shared secret value between the two parties.

mikeazo
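The derivation the answer describes, written out as an added example (this is not code from the question, the answer, or any TLS library). It builds the RFC 4279 premaster secret for a plain PSK suite, runs the TLS 1.2 PRF (P_SHA256, as the question's PRF_HMAC_SHA256 suggests), and derives the master secret and key block from the two ClientHello/ServerHello randoms. The PSK, the randoms, and the Diffie-Hellman value Z are constructed sample values. The DHE_PSK variant is included to show the contrast the answer's footnote makes: once a DH shared secret is part of the premaster, a passive observer holding only the PSK and the captured nonces no longer has all the inputs.

```python
import hmac
import hashlib


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 data expansion (RFC 5246, section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for SHA-256 suites."""
    return p_sha256(secret, label + seed, length)


def psk_premaster_secret(psk: bytes) -> bytes:
    """RFC 4279 section 2 (plain PSK): other_secret is N zero octets, N = len(psk)."""
    n = len(psk)
    return n.to_bytes(2, "big") + bytes(n) + n.to_bytes(2, "big") + psk


def dhe_psk_premaster_secret(dh_shared_secret: bytes, psk: bytes) -> bytes:
    """RFC 4279 section 3 (DHE_PSK): other_secret is the Diffie-Hellman value Z."""
    return (len(dh_shared_secret).to_bytes(2, "big") + dh_shared_secret
            + len(psk).to_bytes(2, "big") + psk)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: 48-byte master secret from the premaster and both nonces."""
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """RFC 5246 section 6.3: key expansion (note the nonce order is reversed here)."""
    return tls12_prf(master, b"key expansion", server_random + client_random, length)


def session_keys(premaster: bytes, client_random: bytes, server_random: bytes,
                 key_len: int = 32, iv_len: int = 4) -> dict:
    """Derive the per-direction keys and implicit IVs of an AEAD suite (AES-256-GCM sizes)."""
    ms = master_secret(premaster, client_random, server_random)
    kb = key_block(ms, client_random, server_random, 2 * key_len + 2 * iv_len)
    return {
        "master_secret": ms,
        "client_key": kb[:key_len],
        "server_key": kb[key_len:2 * key_len],
        "client_iv": kb[2 * key_len:2 * key_len + iv_len],
        "server_iv": kb[2 * key_len + iv_len:],
    }


# Constructed sample values: a 16-byte PSK, the two 32-byte handshake randoms,
# and a DH shared value Z. None of these come from a real session.
SAMPLE_PSK = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_CLIENT_RANDOM = bytes(range(0, 32))
SAMPLE_SERVER_RANDOM = bytes(range(32, 64))
SAMPLE_DH_SHARED = bytes.fromhex("c0ffee" * 8)


def observer_matches_plain_psk(psk, client_random, server_random) -> bool:
    """Plain PSK: the peers and an observer holding the PSK plus both randoms derive the same keys."""
    peers = session_keys(psk_premaster_secret(psk), client_random, server_random)
    observer = session_keys(psk_premaster_secret(psk), client_random, server_random)
    return peers == observer


def observer_matches_dhe_psk(psk, client_random, server_random, z, observer_guess_z) -> bool:
    """DHE_PSK: without the real Z the observer's derivation diverges from the peers'."""
    peers = session_keys(dhe_psk_premaster_secret(z, psk), client_random, server_random)
    observer = session_keys(dhe_psk_premaster_secret(observer_guess_z, psk), client_random, server_random)
    return peers == observer


if __name__ == "__main__":
    print("plain PSK, observer recovers keys:",
          observer_matches_plain_psk(SAMPLE_PSK, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM))
    print("DHE_PSK, observer without Z recovers keys:",
          observer_matches_dhe_psk(SAMPLE_PSK, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM,
                                   SAMPLE_DH_SHARED, bytes(len(SAMPLE_DH_SHARED))))
```

The per-session variation the question asks about comes entirely from the two randoms, and those are sent in the clear; the PRF only makes the master secret unpredictable to someone who lacks one of its inputs. That is why the mitigation is a PSK suite with an ephemeral (EC)DHE component, where Z is the input the passive observer does not have.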